[Samba] dc1 stopped replicate after kutil change

John Farmer jfarmer at industrialinfo.com
Thu Jul 8 14:34:10 UTC 2021

We are having an issue with replication after a kutil  change was made.

Replication from dc1 to dc2-12 is failing:

samba-tool drs showrepl

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to 
dc1.ad.companyname failed - drsException: DRS connection to 
dc1.ad.companyname failed: (3221225581, 'The attempted logon is 
invalid. This is either due to a bad username or authentication information.')
   File "/usr/lib64/python3.6/site-packages/samba/netcmd/drs.py", 
line 55, in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) 
= drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File "/usr/lib64/python3.6/site-packages/samba/drs_utils.py", line 
63, in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))

With further debug we found this error:

Failed to get kerberos credentials: kinit for DC1$@AD.companyname 
failed (Preauthentication failed)

Wrong username or password: kinit for DC1$@AD.companyname failed 
(Preauthentication failed)

kinit -V -k -t /etc/krb5.keytab DC1$@AD.companyname
Using default cache: /tmp/krb5cc_0
Using principal: DC1AD.companyname at AD.companyname
Using keytab: /etc/krb5.keytab
kinit: Keytab contains no suitable keys for 
DC1AD.companyname at AD.companyname while getting initial credentials

kinit -V -k -t /etc/krb5.keytab
kinit: Cannot determine realm for host (principal host/dc1.ad.companyname@)

Looks like someone made some changes using adcli, we can't quite 
figure out what is going on.

this issue is only on dc1 not on any of the other dc's

More information about the samba mailing list